12 November 2013
Julian Assange and MOONLIGHT MAZE
Underground: Hacking, madness and obsession on the electronic frontier
By Suelette Dreyfus with
Research by Julian Assange
[Excerpt. Mendax is the pseudonym of Julian Assange.]
He did, however, talk to Powerspike on the phone once in a while. The older
hacker's highly irreverent attitude and Porky Pig laugh appealed to him.
But other than those brief talks, Prime Suspect avoided talking on the phone
to people outside the International Subversives, especially when he and Mendax
moved into ever more sensitive military computers.
Using a program called Sycophant written by Mendax, the IS hackers had been
conducting massive attacks on the US military. They divided up Sycophant
on eight attack machines, often choosing university systems at places like
the Australian National University or the University of Texas. They pointed
the eight machines at the targets and fired. Within six hours, the eight
machines had assaulted thousands of computers. The hackers sometimes reaped
100000 accounts each night.
Using Sycophant, they essentially forced a cluster of Unix machines in a
computer network to attack the entire Internet en masse.
And that was just the start of what they were into. They had been in so many
sites they often couldn't remember if they had actually hacked a particular
computer. The places they could recall read like a Who's Who of the American
military-industrial complex. The US Airforce 7th Command Group Headquarters
in the Pentagon. Stanford Research Institute in California. Naval Surface
Warfare Center in Virginia. Lockheed Martin's Tactical Aircraft Systems Air
Force Plant in Texas. Unisys Corporation in Blue Bell, Pennsylvania. Goddard
Space Flight Center, NASA. Motorola Inc. in Illinois. TRW Inc. in Redondo
Beach, California. Alcoa in Pittsburgh. Panasonic Corp in New Jersey. US
Naval Undersea Warfare Engineering Station. Siemens-Nixdorf Information Systems
in Massachusetts. Securities Industry Automation Corp in New York. Lawrence
Livermore National Laboratory in California. Bell Communications Research,
New Jersey. Xerox Palo Alto Research Center, California.
As the IS hackers reached a level of sophistication beyond anything The Realm
had achieved, they realised that progress carried considerable risk and began
to withdraw completely from the broader Australian hacking community. Soon
they had drawn a tight circle around themselves. They talked only to each
Watching the Realm hackers go down hadn't deterred the next generation of
hackers. It had only driven them further underground.
In the spring of 1991, Prime Suspect and Mendax began a race to get root
on the US Department of Defense's Network Information Center (NIC)
computer--potentially the most important computer on the Internet.
As both hackers chatted amiably on-line one night, on a Melbourne University
computer, Prime Suspect worked quietly in another screen to penetrate
ns.nic.ddn.mil, a US Department of Defense system closely linked to NIC.
He believed the sister system and NIC might `trust' each other--a trust he
could exploit to get into NIC. And NIC did everything.
NIC assigned domain names--the `.com' or `.net' at the end of an email
address--for the entire Internet. NIC also controlled the US military's own
internal defence data network, known as MILNET.
NIC also published the communication protocol standards for all of the Internet.
Called RFCs (Request for Comments), these technical specifications allowed
one computer on the Internet to talk to another. The Defense Data Network
Security Bulletins, the US Department of Defense's equivalent of CERT advisories,
came from the NIC machine.
Perhaps most importantly, NIC controlled the reverse look-up service on the
Internet. Whenever someone connects to another site across the Internet,
he or she typically types in the site name--say, ariel.unimelb.edu.au at
the University of Melbourne. The computer then translates the alphabetical
name into a numerical address--the IP address--in this case 220.127.116.11.
All the computers on the Internet need this IP address to relay the packets
of data onto the final destination computer. NIC decided how Internet computers
would translate the alphabetical name into an IP address, and vice versa.
If you controlled NIC, you had phenomenal power on the Internet. You could,
for example, simply make Australia disappear. Or you could turn it into Brazil.
By pointing all Internet addresses ending in `.au'--the designation for sites
in Australia--to Brazil, you could cut Australia's part of the Internet off
from the rest of the world and send all Australian Internet traffic to Brazil.
In fact, by changing the delegation of all the domain names, you could virtually
stop the flow of information between all the countries on the Internet.
The only way someone could circumvent this power was by typing in the full
numerical IP address instead of a proper alphabetical address. But few people
knew the up-to-twelve-digit IP equivalent of their alphabetical addresses,
and fewer still actually used them.
Controlling NIC offered other benefits as well. Control NIC, and you owned
a virtual pass-key into any computer on the Internet which `trusted' another.
And most machines trust at least one other system.
Whenever one computer connects to another across the Net, both machines go
through a special meet-and-greet process. The receiving computer looks over
the first machine and asks itself a few questions. What's the name of the
incoming machine? Is that name allowed to connect to me? In what ways am
I programmed to `trust' that machine--to wave my normal security for connections
from that system?
The receiving computer answers these questions based in large part on information
provided by NIC. All of which means that, by controlling NIC, you could make
any computer on the Net `pose' as a machine trusted by a computer you might
want to hack. Security often depended on a computer's name, and NIC effectively
controlled that name.
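The trust model the passage describes (look up the caller's name, then decide whether that name is allowed) is only as strong as the reverse lookup behind it. The following is an added example, not code from the book, showing the weak name-only check beside a forward-confirmed variant that requires the claimed name to resolve back to the connecting address. All host names, addresses and tables are constructed stand-ins for DNS so the script runs offline; the last case shows that the stronger check still fails when both lookup directions are under the same control, which is precisely the NIC point the text makes.

```python
"""Name-based trust decisions: name-only versus forward-confirmed reverse lookup.

Added example with constructed resolver tables (not real DNS data).
"""
from dataclasses import dataclass

# Constructed reverse (PTR) records: address -> claimed host name.
PTR_TABLE = {
    "192.0.2.10": "ariel.example.edu",
    "192.0.2.99": "ariel.example.edu",   # a second address whose PTR claims the trusted name
    "203.0.113.5": "mirror.example.org",
}

# Constructed forward (A) records: host name -> set of addresses.
A_TABLE = {
    "ariel.example.edu": {"192.0.2.10"},
    "mirror.example.org": {"203.0.113.5"},
}

# Hosts this machine is configured to "trust" (constructed allowlist).
TRUSTED_NAMES = {"ariel.example.edu"}


@dataclass(frozen=True)
class Decision:
    trusted: bool
    reason: str


def reverse_lookup(ip, ptr_table):
    """Return the name the reverse record claims for this address, if any."""
    return ptr_table.get(ip)


def forward_lookup(name, a_table):
    """Return the set of addresses the forward record gives for this name."""
    return a_table.get(name, set())


def name_only_decision(ip, ptr_table, allowlist):
    """The weak model from the text: trust whatever name the reverse lookup returns."""
    name = reverse_lookup(ip, ptr_table)
    if name is None:
        return Decision(False, "no reverse record for connecting address")
    if name in allowlist:
        return Decision(True, f"reverse name {name} is on the allowlist")
    return Decision(False, f"reverse name {name} is not on the allowlist")


def forward_confirmed_decision(ip, ptr_table, a_table, allowlist):
    """Stronger model: the claimed name must resolve back to the connecting address."""
    name = reverse_lookup(ip, ptr_table)
    if name is None:
        return Decision(False, "no reverse record for connecting address")
    if ip not in forward_lookup(name, a_table):
        return Decision(False, f"forward lookup of {name} does not include {ip}")
    if name not in allowlist:
        return Decision(False, f"{name} is confirmed but not on the allowlist")
    return Decision(True, f"{name} confirmed by forward lookup and on the allowlist")


def tables_with_both_directions_altered():
    """Constructed tables where the forward zone has also been changed (the NIC case)."""
    altered_a = dict(A_TABLE)
    altered_a["ariel.example.edu"] = {"192.0.2.10", "192.0.2.99"}
    return PTR_TABLE, altered_a


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99", "203.0.113.5"):
        weak = name_only_decision(ip, PTR_TABLE, TRUSTED_NAMES)
        strong = forward_confirmed_decision(ip, PTR_TABLE, A_TABLE, TRUSTED_NAMES)
        print(f"{ip}: name-only -> {weak.trusted} ({weak.reason})")
        print(f"{ip}: forward-confirmed -> {strong.trusted} ({strong.reason})")
    ptr, a = tables_with_both_directions_altered()
    both = forward_confirmed_decision("192.0.2.99", ptr, a, TRUSTED_NAMES)
    print(f"both directions altered: forward-confirmed -> {both.trusted} ({both.reason})")
```

The forward-confirmed check defeats a spoofed reverse record on its own; only an independent credential (not a name) closes the case where the forward zone is controlled as well.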
When Prime Suspect managed to get inside NIC's sister system, he told Mendax
and gave him access to the computer. Each hacker then began his own attack
on NIC. When Mendax finally got root on NIC, the power was intoxicating.
Prime Suspect got root at the same time but using a different method. They
were both in.
Inside NIC, Mendax began by inserting a backdoor--a method of getting back
into the computer at a later date in case an admin repaired the security
flaws the hackers had used to get into the machine. From now on, if he telnetted
into the system's Data Defense Network (DDN) information server and typed
`login 0' he would have instant, invisible root access to NIC.
That step completed, he looked around for interesting things to read. One
file held what appeared to be a list of satellite and microwave dish
coordinates--longitude, latitudes, transponder frequencies. Such coordinates
might in theory allow someone to build a complete map of communications devices
which were used to move the DOD's computer data around the world.
Mendax also penetrated MILNET's Security Coordination Center, which collected
reports on every possible security incident on a MILNET computer. Those
computers--largely TOPS-20s made by DEC--contained good automatic security
programs. Any number of out-of-the-ordinary events would trigger an automatic
security report. Someone logging into a machine for too long. A large number
of failed login attempts, suggesting password guessing. Two people logging
into the same account at the same time. Alarm bells would go off and the
local computer would immediately send a security violation report to the
MILNET security centre, where it would be added to the `hot list'.
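The three triggers the passage lists (a session that runs too long, a burst of failed logins, and two sessions on one account at once) are the kind of rules a host-side monitor can evaluate from its own login records. The following is an added example, not code from the book or from any TOPS-20 software, that runs those rules over a constructed login log and emits one violation report per trigger; the log format, thresholds and user names are all assumptions.

```python
"""Host-side security report triggers over a login log (added example).

Log lines are constructed for this example: "<ISO timestamp> <EVENT> <user> <tty>"
where EVENT is LOGIN, LOGOUT or FAIL (a failed login attempt).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=8)        # assumed limit for "logged in for too long"
FAIL_THRESHOLD = 5                      # assumed number of failures that suggests guessing
FAIL_WINDOW = timedelta(minutes=10)     # assumed window in which those failures must fall

# Constructed sample log (not real MILNET data).
SAMPLE_LOG = """\
1991-05-02T08:00:00 LOGIN alice TTY1
1991-05-02T09:15:00 FAIL mallory TTY4
1991-05-02T09:15:20 FAIL mallory TTY4
1991-05-02T09:15:41 FAIL mallory TTY4
1991-05-02T09:16:02 FAIL mallory TTY4
1991-05-02T09:16:25 FAIL mallory TTY4
1991-05-02T10:00:00 LOGIN bob TTY2
1991-05-02T10:05:00 LOGIN bob TTY5
1991-05-02T10:40:00 LOGOUT bob TTY5
1991-05-02T11:00:00 LOGIN carol TTY3
1991-05-02T11:30:00 LOGOUT carol TTY3
1991-05-02T12:00:00 LOGOUT bob TTY2
1991-05-02T17:30:00 LOGOUT alice TTY1
"""


@dataclass(frozen=True)
class Report:
    ts: datetime
    kind: str
    user: str
    detail: str


def parse(line):
    """Split one log line into (timestamp, event, user, tty)."""
    ts, event, user, tty = line.split()
    return datetime.fromisoformat(ts), event, user, tty


def analyse(lines):
    """Return the security violation reports the three triggers raise, in log order."""
    reports = []
    active = defaultdict(dict)        # user -> {tty: login timestamp}
    failures = defaultdict(deque)     # user -> timestamps of recent failed attempts
    last_ts = None
    for ts, event, user, tty in map(parse, lines):
        last_ts = ts
        if event == "FAIL":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:     # fires once per crossing of the threshold
                reports.append(Report(ts, "PASSWORD-GUESSING", user,
                                      f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW} on {tty}"))
        elif event == "LOGIN":
            failures.pop(user, None)              # a success resets the failure window
            if active[user]:
                others = ", ".join(sorted(active[user]))
                reports.append(Report(ts, "CONCURRENT-LOGIN", user,
                                      f"login on {tty} while already on {others}"))
            active[user][tty] = ts
        elif event == "LOGOUT":
            start = active[user].pop(tty, None)
            if start is not None and ts - start > MAX_SESSION:
                reports.append(Report(ts, "LONG-SESSION", user,
                                      f"session on {tty} lasted {ts - start}"))
    # Sessions still open at the end of the log are checked against the last timestamp.
    if last_ts is not None:
        for user, sessions in active.items():
            for tty, start in sessions.items():
                if last_ts - start > MAX_SESSION:
                    reports.append(Report(last_ts, "LONG-SESSION", user,
                                          f"session on {tty} still open after {last_ts - start}"))
    return reports


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG.splitlines()):
        print(f"{r.ts.isoformat()} {r.kind:<18} {r.user:<8} {r.detail}")
```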
Mendax flipped through page after page of MILNET's security reports on his
screen. Most looked like nothing--MILNET users accidentally stumbling over
a security tripwire--but one notice from a US military site in Germany stood
out. It was not computer generated. This was from a real human being. The
system admin reported that someone had been repeatedly trying to break into
his or her machine, and had eventually managed to get in. The admin was trying,
without much luck, to trace back the intruder's connection to its point of
origin. Oddly, it appeared to originate in another MILNET system.
Riffling through other files, Mendax found mail confirming that the attack
had indeed come from inside MILNET. His eyes grew wide as he read on. US
military hackers had broken into MILNET systems, using them for target practice,
and no-one had bothered to tell the system admin at the target site.
Mendax couldn't believe it. The US military was hacking its own computers.
This discovery led to another, more disturbing, thought. If the US military
was hacking its own computers for practice, what was it doing to other countries'
As he quietly backed out of the system, wiping away his footprints as he
tip-toed away, Mendax thought about what he had seen. He was deeply disturbed
that any hacker would work for the US military.
Date: 25 Oct 1998 04:48:22 -0000
From: Julian Assange <email@example.com>
Subject: Travel Plans
I'm about to escape from the perils of a summer in ``the planet's most livable
city'' (Melbourne, Australia) and go trekking about the worlderful world of
snow, ice, slush, and imploding communism.
I'll be hop-scotching through the US, Western/Eastern Europe, Russia, Mongolia
and China (in that order). If anyone feels like getting together for beer,
vodka, Siberian bear steak, or just a good yarn, please let me know.
What follows is a (very) approximate itinerary. Home-grown accommodation,
a warm hearth, pulsating ethernet, interesting company (or a pointer to it)
is capable of shifting dates and leagues. I am backpacking through eastern
Europe and Siberia, so no hovel, couch or spare room is too small (even in
the SF bay area), and would be highly thought of :)
28 Oct 98 San Francisco
05 Nov 98 London
06 Nov 98 Frankfurt/Berlin
09 Nov 98 Poland / Slovenia / eastern-europe-on-a-shoe-string
15 Nov 98 Helsinki
16 Nov 98 St. Petersburg
20 Nov 98 Moscow (trans-siberian express) ->
25 Nov 98 Irkutsk
29 Nov 98 Ulan Bator
03 Dec 98 Beijing
A Fierce Domain: Conflict in Cyberspace 1986 to 2012. Jason Healey, Editor.
Cyber Conflict Studies Association. 2013.
One of the enduring frustrations of cyber conflict lies in its tentativeness.
Many of the basic events in its history are shrouded in mystery and heavily
classified. A paucity of open-source information exists, much of it of limited
reliability. Nowhere is this more evident than in the incident known as
MOONLIGHT MAZE. The name, given to a series of intrusions, denotes one of many
cyber security wake-up calls that have highlighted the increasing role of state
authorities in generating, sponsoring, or at least passively tolerating
sophisticated and far-reaching espionage incidents. Russian involvement has
been suspected, but never conclusively proven. Intruders probed computer
systems at the Pentagon, the Department of Energy, private universities, and
research labs searching for military maps, troop configurations, and military
hardware designs.
In 1999, the Federal Bureau of Investigation made public that this espionage
was ongoing, sending shockwaves throughout the cyber security community.
Even though very little unclassified information is currently available about
the incident, the ambiguous and disruptive effects of MOONLIGHT MAZE make
it a signal case in cyber history.
MOONLIGHT MAZE shaped technical and organizational discourse within the US,
and created the perception of a lethal, yet ephemeral and mysterious cyber
threat. While earlier cyber espionage had occurred (such as Cuckoo's
Egg and RAHAB), these qualities make MOONLIGHT MAZE a useful marker for measuring
the growth in widespread awareness of professionalized, state-sponsored threats
in cyberspace. Its ambiguity also symbolizes an era of cyber conflict in
which few easy answers can be found concerning the origin, dynamics, and/or
goals of adversarial espionage threats. Additionally, the federal
government's organizational responses to the incident represented the
growing understanding among security executives that defending cyberspace
requires different tools, organizations, and concepts. In this, MOONLIGHT
MAZE actually dove-tailed with a larger focus on adapting the government
to fight transnational threats. This focus would take shape immediately before
and after the 11 September 2001 terrorist attacks.
Establishing Context
Before MOONLIGHT MAZE, many high-profile cyber incidents
that targeted United States government networks were attributed to non-state
actors. The 1994 attacks that targeted the United States Air Force's
Rome Labs were the work of two British youngsters, one of whom was motivated
by his love of the X-Files. The 1998 SOLAR SUNRISE incident also was carried
out by young hackers in California and Israel. Massive, sustained, and
state-backed cyber operations were not widespread in the late 1990s. However,
this situation was about to radically change.
This is not to say that all or even most pre-MOONLIGHT MAZE incidents were
the work of the stereotypical teen-aged hacker. Rather, the point is that
the massive state espionage which has characterized cyber incidents in most
of the last few years, was not as omnipresent in either public or elite
consciousness prior to the late 1990s.
In 2001, MOONLIGHT MAZE was considered to be the largest cyber attack on
the United States to date. The era of TITAN RAIN and other larger cyber espionage
cases, such as Stuxnet, was yet to come. It is also important to note
cybersecurity's interaction with larger trends in American national
security during the late 1990s. National security policymakers were beginning
to recognize that the seductive concepts of the Revolution in Military Affairs
(RMA), America's technological superiority in the Gulf War, and the
Kosovo conflict disguised a growing threat from state and non-state adversaries
determined to play by different rules.
American adversaries would not continue to invite the kind of security responses
that played best to American strengths. Rather, they would look for cheap
tools and target American weaknesses. Information technology, considered
a strength in conventional warfare, became a source of weakness within the
framework of cyberwarfare and cyber-espionage. Moreover, US policymakers
clearly saw similar challenges to inter-agency boundaries and capabilities
posed by both cyber opponents and more traditional forms of terrorism.
Presidential Decision Directive 63 (PDD 63) led to the creation of the National
Infrastructure Protection Center (NIPC), as an inter-agency body with the power
to safeguard the nation's civilian and governmental critical infrastructure
from computer-based attack. SOLAR SUNRISE and other thorny cyber incidents
prompted the creation of Joint Task Force-Computer Network Defense (JTF-CND),
a body trusted with the centralized and coordinated defense of military networks.
These agencies were maturing just as MOONLIGHT MAZE became known to the United
States government, and played crucial roles in resolving the incident. MOONLIGHT
MAZE's emphasis on Russian espionage also did not occur in a geopolitical
vacuum. While geo-strategic competition between the United States and the
Soviet Union ended in the early 1990s, Russian espionage has continued largely
The MOONLIGHT MAZE incident also occurred in a time of rising American awareness
of a growing Russian investment in information warfare capabilities. As adversary
cyber doctrine specialist Lieutenant Colonel (Ret.) Timothy Thomas noted,
Russian military thinkers incorporated the idea of "system on system"
military operations from the early 1990s onwards.
Russia, though geopolitically weakened, was energetic in projecting power
into cyberspace. Its military doctrine in the period of the late Cold War
recognized the importance of command, control, intelligence, and computers
(C4I) but lacked the material means to realize this military-technical
revolution. However, cyber-espionage and cyberwarfare capabilities
were well within even a greatly weakened Moscow's reach. MOONLIGHT MAZE
must be understood within this unique context.
However, some caution should be exercised in pointing toward Russia as the
perpetrators of MOONLIGHT MAZE. The evidence of Russian involvement is still
circumstantial in the unclassified records. The Russians vigorously denied
participation in MOONLIGHT MAZE. This too can be viewed within a larger context.
Russia has often been suspected of direct involvement and/or indirect involvement
in cyber conflict, but direct proof of Russian involvement has always been
frustratingly difficult to assemble.
Sorting out official Russian government activity from that of patriotic hackers
or the large organized crime sector is also difficult, as all three sectors
are both porous and extremely murky. Lastly, the open-source record does
not indicate that there was a strategic or even a tactical warning of the
MOONLIGHT MAZE crisis.
Network defenders, the Department of Defense, and the FBI struggled to understand
the nature of the attack, who carried it out, and why. The fact that these
questions are still largely publicly unanswered suggests problems regarding
not only cyber early warning efforts but also post-incident damage assessments.
Entering the Maze
In March 1998, the DoD detected what was then dubbed "the
most persistent and serious computer attack against the United
States to date." While no classified networks were targeted, the Non-Classified
Internet Protocol Router Network (NIPRNET) was penetrated.
Network security specialists at the Defense Information Systems Agency discovered
that attackers had entered NIPRNET and other unclassified systems by
"tunneling malicious codes within programs for routine computer
operations." This made it more difficult for systems administrators to discover
precisely what was occurring.
The intruders broke into computer networks belonging to the National Aeronautics
and Space Agency (NASA), the Department research agencies and private
laboratories. The attackers were after military-technical information on
The FBI led the investigation, which was coordinated through the National
Infrastructure Protection Center (NIPC), while the newly created Joint Task
Force-Computer Network Defense (JTF-CND) took the lead in coordinating a
response. The incident was codenamed MOONLIGHT MAZE. It is important
to understand that MOONLIGHT MAZE was not a one-off incident, but an extended
campaign that occurred for at least three years, conducted by multiple actors
against defense systems. A Government Accountability Office (GAO) report
characterizes MOONLIGHT MAZE as a "stealth campaign" of recurring
It was MOONLIGHT MAZE's massive scale and duration that differentiated
the attacks from other cyber incidents during the 1990s. The intruders lifted
thousands of files containing information on technical research, contracts,
encryption techniques, and unclassified specifications of DoD war-planning
systems. In turn, the attack triggered one of the largest and most secretive
cybersecurity investigations in the DoDs history.
Other notable aspects of MOONLIGHT MAZE were its exploitation of the scientific
community's access to the DoD and the attackers' operational
sophistication. In an interview with PBS Frontline in 2003, former Deputy
Secretary of Defense and later Center for Strategic and International Studies
President John Hamre noted that the attacks exploited the prevailing norm
of openness in the scientific community.
The intrusions were not conducted through the Internet, but instead exploited
the Department of Defense's dependence on a scientific-industrial backbone.
Hamre emphasized that the perpetrators did not hack from laptops, but rather
employed sophisticated hardware with formidable computing power. He also
judged that they possessed excellent operational skills, iteratively adjusting
their techniques in response to countermeasures. Hamre noted that the broadly
DoD-related research community allowed researchers access to large farms
of supercomputers. This vulnerability, Hamre argued, could also potentially
be exploited again:
Evidence of the sophistication of the attackers can also be found in their
use of what was dubbed a "distributed coordination" approach to
information extraction. The attackers used thousands of servers to overwhelm
a single server. Because many servers are used, each attack can be disguised
as a legitimate connection attempt. This makes it difficult for the
victim's software to know that it is under assault, and also helps
camouflage the identity of the attackers.
As will be noted later, DoD audiences also judged that distributed coordination
approaches posed a threat to the supposed perimeter defense model
that dominated DoD information assurance. Efforts to target the adversaries
to disable their operations were considered but were dogged by fears that
such self-defense measures might constitute an act of war, if the attackers
were state-sponsored. Lack of understanding of the nature of the adversary
thus hamstrung what might be considered today an active defense
However, this did not mean that the DoD did not take steps to secure its
networks. The Pentagon also decided that it would reroute its communications
through eight large electronic gateways in order to better facilitate monitoring
of activities and to cut down the attackers' opportunities. Passwords
also underwent encryption, and a DoD-wide password change was forced by the
JTF-CND. The Pentagon responded by investing $200 million to purchase new
encryption technology, firewalls, and intrusion detection technologies.
Unfortunately, the response to MOONLIGHT MAZE was also hindered by the fact
that the NIPC itself was still unsteady during the time of the intrusions.
By October 1999, senior agents were being transferred out of the NIPC to
investigate Chinese espionage cases. Congress rejected efforts by the NIPC
to expand its stable of agents. All of this occurred as the FBI's load
of computer crime cases expanded from 200 in 1997 to 800 in 1999, while the
FBI struggled to meet its target of 243 agents pursuing digital crime and
espionage cases full time. NIPC Director Michael Vatis said:
"Our bench is thin, very thin. We have put together a good starting lineup.
But if we had several major incidents at the same time, we would be severely
stretched, to put it mildly."
On 7 October 1999, NIPC director Michael Vatis went public. Though earlier
news reports had announced a large cyber campaign against the Pentagon,
Vatis' interview and those given by other government officials were
the most significant early disclosures. Vatis not only broke the news of
a large cyber-espionage campaign, but also explicitly suggested a Russian
origin. However, Vatis refused to comment further. Assistant Secretary of
Defense for Command, Control, and Communications Arthur Money declared that
the scale of the incident was "alarming" and observed that NIPRNET
had been compromised. The intensity of the attacks declined after the public
announcement, compared to the spring and summer of 1999.
An undisclosed government source noted that the attack had been traced to
Internet servers located 20 miles from Moscow. The source also noted that
the pattern of the intrusions suggested that the attackers had a regular
office-like schedule. The attacks occurred regularly from 8 am to 5 pm and
never on Russian holidays. A senior Energy Department official also suggested
that it could be a "sponsored intelligence activity," pointing
to the organized nature of the activity. Dion Stempfley, an analyst
working for the Defense Information Systems Agency (DISA), suggested that
the attacks, if not state-conducted, were "state-allowed."
Other circumstantial evidence was offered to the media, which apparently
suggested Russian involvement. This included the existence of an unusually
high-speed connection, linking research facilities in Moscow to the United
States. US government sources speculated that it hid a major offensive command
and control network within ostensibly civilian research facilities. Photos
of DoD facilities, network maps, and duty rosters were also alleged to be
present on these networks.
At the time, outside experts began to voice skepticism about foreign state
involvement in the hacking attacks. George Smith, editor of the Crypt Newsletter,
speculated that the attackers were teenagers and accused the DoD of engaging
in hysteria. Allan Thompson, a former Central Intelligence Agency analyst,
argued that it did not make sense for the Russian intelligence service to
tip its hand with a massive operation rather than patiently
developing its capabilities. Finally, a Russian technology analyst voiced
skepticism about the idea that a high-powered connection cable was necessary
to steal photographs of DoD facilities or duty rosters.
Fred Cohen of Sandia National Labs argued that the attack, while innovative,
also owed its success to the DoD's own security deficiencies. The fact
that the attacks were recurring, Cohen argued, had more to do with the continued
inability of the Department of Defense to protect its networks. Sophisticated
attackers, in other words, were not really the problem.
However, as is common in cyber conflicts, these commentators were not able
to review the government's evidence on the seriousness of the incident,
nor why some government voices suggested Russia was responsible. In 2000,
the United States government formally complained to Russia about the hacking
and provided the telephone numbers from which the attacks supposedly originated.
Russian authorities claimed that the numbers were non-operative and denied
any prior knowledge of the attacks. Nonetheless, US officials did travel
to Moscow in an effort to reach out to Russia to investigate the source of
Russia has consistently denied involvement in the MOONLIGHT MAZE incident.
In 2001, a Foreign Affairs article revealed that attackers were not only
continuing to operate in the system, but had also left in place
backdoors, code or instructions that easily enable hackers
to sneak back into a previously compromised system to exfiltrate more data
or inflict damage on a system at a later date. Three years of investigation
had produced little information on the source of the attack.
In April 2003, PBS Frontline ran a special on MOONLIGHT MAZE and other cyber
incidents. Here, it was revealed that network attackers had accessed tens
of thousands of files on military maps, troop configurations, and military
hardware designs. RAND Corporation analyst John Arquilla, also interviewed,
cast doubt on the diagnosis of a Russian attacker, noting that the attacker
could have easily bounced his traffic off Russian computers to confuse defenders.
However, this is a fairly standard rejoinder for most attacks, since it is
technically possible, but the response ignores other lines of evidence. The
FBI's investigation ultimately came to center around whether or not
the attacks were conducted by Russia's Academy of Sciences. Government
officials told Newsweek off-the-record that the Russian Academy of
Sciences, an entity linked to the Russian military, was behind the
The attacks were ultimately traced back to a mainframe computer in Russia,
but the real point of origin remains unknown. No further information has
been forthcoming.
Implications
It is difficult to write of MOONLIGHT MAZE's
implications while so little is currently known about the incident. However,
MOONLIGHT MAZE had a sizable impact on many aspects of cybersecurity and
intelligence. As previously noted, it also remarkably originated many ongoing
policy issues in cybersecurity. The United States is upset over what it views
as aggressive and unrelenting Russian state-sponsored hacking. Russia continues
to deny involvement, while highlighting the risk of what it views as an emerging
information warfare arms race. MOONLIGHT MAZE also was a wake-up
call that aggressive extraction from information resources by state,
state-sponsored, or state-sympathetic organizations would be an enduring
part of the cyber conflict landscape. It also significantly highlighted the
continuing interest of Russia, like China, in American military technology.
Michael Vatis said,
"The greatest potential threat comes from foreign state actors who might choose
to engage in information warfare against the United States, because they
realize that they can't take us on in conventional military terms and
would seek to go after what they perceive as our Achilles' heel, which
is our reliance on information technology, more than any other country, to
control our critical operations."
Lessons Learned
While a distinction is often rightfully made between cyber
warfare and cyber espionage, MOONLIGHT MAZE demonstrated to a significant
degree that the two feed into each other. Was MOONLIGHT MAZE simply another
episode in a long history of spy games? Or did it signal preparation for
a possibly imminent war? The attackers ostensibly targeted unclassified
information, but also allegedly left trapdoors for further infiltration.
Without access to the results of the investigation, it is difficult to tell
what the ultimate aim of the action was. It very well may have been what
Thomas called a "long-range cyber reconnaissance" to prepare the
ground for more kinetic actions. But it may also have been an act of espionage.
John Arquilla, one of the early thinkers on information warfare and cyber
conflict, put it this way:
"There's an interesting problem here, in that some events, like the Moonlight
Maze intrusions, were simply exploitative in nature, gaining access to
information. But the means by which access was gained are observationally
equivalent to the things that a hacker would do if he wanted to intrude and
then engage in vast disruption. So we need to figure out how to deal with
these problems that have to do with exploitation of systems, because that's
our first basis for defense against attacks designed to take these systems
Hence MOONLIGHT MAZE, while an espionage incident, was regarded very much
as a hostile military act. Hamre, briefing Congress on the incident, declared
that the DoD was in the middle of a cyberwar.
Similarly, militaristic language was consistently used in press accounts.
Very few noted that the open-source literature seemed to support the thesis
that it was in fact an act of espionage, not warfare or sabotage.
The investigation's sheer scale and minuscule results also foreshadowed
what would come to be a recurring theme in cyber-espionage investigations.
Years of analysis were required to even roughly understand and attribute
MOONLIGHT MAZE to Russian actors. These attackers may have had access to
DoD networks for years without detection.
While iDefense cybersecurity consultant James Adams highlighted the need
for a deterrent strategy, the US government still struggles with
stopping cyber-espionage. If attribution is difficult, and the incidents
do not inflict lethal damage, it can be difficult to effectively deter actors
from aggressively compromising US networks.
The incident clearly brought the problem of attribution to the fore. The
Russian Federation refused to accept responsibility for the incident, and
the circumstantial evidence involved was not sufficient to permit the United
States to impose any political sanctions upon Moscow. The uncertainty surrounding
the incident persists today, as so little information is available on who
was responsible for the incident. It is believed that the attack was at least
connected with the Russian government, but uncertainties plague even this
suspicion. Lack of attribution, in turn, leads to paralysis in active defense
responses to the attack. If the DoD is not sure precisely who is attacking
it, legal implications concerning responses cannot be easily calculated.
Hamre's comments that the attack exploited the open norms of the scientific
community also highlighted a problem that continues today in cybersecurity
policy. Hamre's point is that attackers exploited an institution with
different security norms than the hierarchical and closed world of the DoD.
In order to enjoy the benefits of scientific-technical partnerships with
research laboratories, however, the military cannot simply dissociate itself
from the scientific community. Navigating the organizational and technical
implications of continued engagement with communities that employ looser
security practices remains a continuing cybersecurity problem.
The attack exposed some substantial weaknesses in DoD computer defenses.
Those weaknesses were cause for substantial alarm. A 2001 Defense Science
Board Task Force report noted that incidents such as MOONLIGHT MAZE constituted
a "low and slow" attack that challenged the Department of Defense
by exhibiting several characteristics. Low and slow attacks may go undetected
for substantial amounts of time, especially if an insider is conducting or
abetting the attack. The lack of any apparent outcome in a low and slow attack
might blind investigators to the possibility of insertions of logic bombs,
Trojan horses, and viruses that could be implemented at the time and place
of the attackers' choosing. Attributing motives for the attacks may
also be difficult, if not impossible, due to such an undetected insertion
not becoming apparent until months or even years after the initial compromise.
The Defense Science Board report similarly raised the issue of
defense-in-depth, which would later become a hot topic among
chief technology officers and cyber strategists. The Defense Science Board
argued that MOONLIGHT MAZE and similar incidents could partially have occurred
because of a prevailing "perimeter defense" mentality, meaning
the defense is "hard on the outside but soft on the inside." Unfortunately,
once the intruders were inside the targeted systems, network defenders had
little idea of what was happening within their own networks.
Many of these themes will be familiar to cyber policy analysts debating
defense-in-depth based approaches, the concept of the Maginot Line
of Information Security, and the idea that network defenders should
assume a breach and act to mitigate it.
Organizational Innovations
MOONLIGHT MAZE reaffirmed commonly accepted
organizational lessons derived from the 1997 ELIGIBLE RECEIVER and the 1998
SOLAR SUNRISE incidents. The multi-dimensional nature of these assaults and
the emphasis they put on quick response convinced many that the United States
needed an operational organization capable of directing technical changes
to DoD computers and networks for cyber defense. The Joint Task Force-Computer
Network Defense (JTF-CND), assigned from 1998 to 2004 to a variety of DoD
organizations under many different names, played a key role in the MOONLIGHT
MAZE incident. Most notably, the JTF-CND issued the first military-wide order
to change passwords during the episode.
Though the JTF-CND evolved concurrently with the MOONLIGHT MAZE investigation,
the incident would only bolster what many viewed as the necessity for unity
of command, with one commander being responsible to higher authority.
DoD policymakers also agreed that truly comprehensive incident reporting
was needed, with assessors possessing the ability to accept data from both
automated systems and qualitative products, such as manual incident reports
based on personal observations and analyses. This would speed up and streamline
incident response. The DoD's chief organizational response was to
institutionalize a four-tiered process of incident response. Military reporting
would be handled at the local level through network operations and security
centers (NOSCs) under the control of the Defense Information Systems Agency
(DISA). The primary purpose of this line of reporting is to report problems.
Assessments of the impact from a command-and-control perspective are channeled
through individual Service and regional Computer Emergency Response Teams
(CERTs). Both kinds of incident reports in turn would be sent to what was
then known as the JTF-Computer Network Operations (CNO) and the DISA Global
Network Operations and Security Center (GNOSC).
MOONLIGHT MAZE also played an influential role in a government-wide, pre-9/11
effort to create a counterintelligence czar, who would coordinate
inter-agency efforts against terrorists, spies, and cyber intrusions. In
an interview with a National Journal reporter, Hamre recalled that a conversation
about the MOONLIGHT MAZE incident with the FBI's Deputy Director for
National Security Robert Bryant in 1998 provided the impetus for a new
counterintelligence initiative to respond to unconventional threats.
MOONLIGHT MAZE's domestic targets and (alleged) foreign actors prompted
this conversation about ways in which organizational stovepipes prevented
security agencies from countering unconventional threats. The DoD, Hamre
noted, cannot investigate inside US borders, and the law enforcement community
lacked many tools that the DoD and the CIA possess for operating overseas.
Hamre pushed for the Counterintelligence-21 initiative, a call for a national
counterintelligence executive, empowered to issue a counterintelligence strategy.
Hamre's and others' efforts eventually resulted in the founding of the
Office of the National Counterintelligence Executive (ONCIX) in 2001.
It remains to be seen whether the public will ever find out what really happened
in MOONLIGHT MAZE. Basic elements of the story remain hidden behind
classification and a shroud of mystery. Unfortunately, future actions and
responses in the cyber world are likely to be more like MOONLIGHT MAZE than
not. Only by learning from the incident will we be better prepared for the
murky, fast-paced, and organizationally complex cyber campaigns of the future.
MOONLIGHT MAZE raised our common awareness of the state-backed attacker and
led to far-reaching policy shifts.